Systems, methods, and media for managing user credentials

ABSTRACT

Receiving a first username of a first user account (FAU) and a biometric signature (BS) of a user; in response to determining that BS matches a stored signature of FAU, presenting indications of a group of available services (GAS); receiving a selection of a service of GAS; transmitting an identifier of the selected service (SS); receiving an encrypted username (EU) and an encrypted password (EP) of a second user account (SAU) of SS; decrypting EU and EP; opening a first page that corresponds to a login page (LP) of SS; launching a script that identifies a username entry field (UEF) and a password entry field (PEF) on LP; entering the decrypted username (DU) in UEF and the decrypted password (DP) in PEF; and selecting a submit button (SB) within LP, wherein causing SB to be selected causes SAU to be authenticated using DU and DP.

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation of U.S. patent application Ser. No. 16/163,416, filed Oct. 17, 2018, which is hereby incorporated by reference herein in its entirety.

TECHNICAL FIELD

The disclosed subject matter relates to systems, methods, and media for managing user credentials.

BACKGROUND

Users frequently have different usernames and passwords for many different applications or user accounts. For example, a user might have a first username and password for an email account and a different username and password for an online banking account. It can be difficult to remember many different usernames and passwords. To remember different usernames and passwords, users often write down usernames and passwords, either on paper or in a digital file. However, this can create a security risk, for example, for the information to be stolen and maliciously used.

Accordingly, it is desirable to provide new systems, methods, and media for managing user credentials.

SUMMARY

Systems, methods, and media for managing user credentials are provided.

In some embodiments, systems for managing user credentials are provided, the systems comprising: at least one hardware processor configured to: receive a first username corresponding to a first user account of an application for managing user credentials and a biometric signature of a user; in response to determining that the biometric signature of the user matches a stored signature corresponding to the first user account, cause indications of a group of available services to be presented; receive a selection of a service of the group of available services; transmit, to a server, an identifier corresponding to the selected service; receive, from the server, an encrypted username and an encrypted password corresponding to a second user account of the selected service; decrypt the encrypted username and the encrypted password; cause a first page to be opened that corresponds to a login page of the selected service; cause a script to be launched, wherein the script identifies a username entry field and a password entry field on the login page; cause, using the script, the decrypted username to be entered in the username entry field and the decrypted password to be entered in the password entry field; and cause, using the script, a submit button within the login page to be selected, wherein causing the submit button to be selected causes the second user account to be authenticated using the decrypted username and the decrypted password.

In some embodiments, methods for managing user credentials are provided, the methods comprising: receiving, at a user device, a first username corresponding to a first user account of an application for managing user credentials and a biometric signature of a user of the user device; in response to determining that the biometric signature of the user matches a stored signature corresponding to the first user account, causing indications of a group of available services to be presented on the user device; receiving, at the user device, a selection of a service of the group of available services; transmitting, to a server, an identifier corresponding to the selected service; receiving, from the server, an encrypted username and an encrypted password corresponding to a second user account of the selected service; decrypting the encrypted username and the encrypted password; causing, on the user device, a first page to be opened that corresponds to a login page of the selected service; causing, at the user device, a script to be launched, wherein the script identifies a username entry field and a password entry field on the login page; causing, at the user device by the script, the decrypted username to be entered in the username entry field and the decrypted password to be entered in the password entry field; and causing, using the script, a submit button within the login page to be selected, wherein causing the submit button to be selected causes the second user account to be authenticated using the decrypted username and the decrypted password.

In some embodiments, non-transitory computer-readable media containing computer executable instructions that, when executed by a processor, cause the processor to perform a method for managing user credentials are provided, the method comprising: receiving, at a user device, a first username corresponding to a first user account of an application for managing user credentials and a biometric signature of a user of the user device; in response to determining that the biometric signature of the user matches a stored signature corresponding to the first user account, causing indications of a group of available services to be presented on the user device; receiving, at the user device, a selection of a service of the group of available services; transmitting, to a server, an identifier corresponding to the selected service; receiving, from the server, an encrypted username and an encrypted password corresponding to a second user account of the selected service; decrypting the encrypted username and the encrypted password; causing, on the user device, a first page to be opened that corresponds to a login page of the selected service; causing, at the user device, a script to be launched, wherein the script identifies a username entry field and a password entry field on the login page; causing, at the user device by the script, the decrypted username to be entered in the username entry field and the decrypted password to be entered in the password entry field; and causing, using the script, a submit button within the login page to be selected, wherein causing the submit button to be selected causes the second user account to be authenticated using the decrypted username and the decrypted password.

BRIEF DESCRIPTION OF THE DRAWINGS

Various objects, features, and advantages of the disclosed subject matter can be more fully appreciated with reference to the following detailed description of the disclosed subject matter when considered in connection with the following drawings, in which like reference numerals identify like elements.

FIG. 1 shows an example of a user interface for logging-in to a user account in accordance with some embodiments of the disclosed subject matter.

FIGS. 2 and 3 show examples of user interfaces for resetting biometric signatures in accordance with some embodiments of the disclosed subject matter.

FIG. 4 shows an example of a user interface for selecting an available service or website in accordance with some embodiments of the disclosed subject matter.

FIG. 5 shows an example of a user interface for automatically filling-in a username and a password in accordance with some embodiments of the disclosed subject matter.

FIG. 6 shows an example of a user interface corresponding to a service that has been successfully logged-in to in accordance with some embodiments of the disclosed subject matter.

FIG. 7 shows an example of a user interface that indicates that multiple services have been logged-in to in accordance with some embodiments of the disclosed subject matter.

FIG. 8 shows an example of a process for signing-in to an account using a biometric signature in accordance with some embodiments of the disclosed subject matter.

FIG. 9 shows an example of a process for signing-in to an account using a biometric signature and a mobile device in accordance with some embodiments of the disclosed subject matter.

FIG. 10 shows an example of a process for automatically entering user credentials for a selected service or website in accordance with some embodiments of the disclosed subject matter.

FIG. 11 shows an example of a process for resetting or confirming a biometric signature in accordance with some embodiments of the disclosed subject matter.

FIG. 12 shows an example of a process for adding a new service or a website to a group of available services and/or websites in accordance with some embodiments of the disclosed subject matter.

FIG. 13 shows a schematic diagram of an illustrative system suitable for managing user credentials in accordance with some embodiments of the disclosed subject matter.

FIG. 14 shows a detailed example of hardware that can be used in a server and/or a user device of FIG. 13 in accordance with some embodiments of the disclosed subject matter.

DETAILED DESCRIPTION

In accordance with various embodiments, mechanisms (which can include methods, systems, and media) for managing user credentials are provided.

In some embodiments, the mechanisms described herein can store user credentials for accessing multiple user accounts of a user for different websites, apps, or services. For example, in some embodiments, the mechanisms can store user credentials (e.g., a username and/or a password) for user accounts for accessing an email account, accessing a social networking account, accessing a bank account, and/or any other suitable websites, apps, or services. Additionally or alternatively, in some embodiments, the mechanisms described herein can be used to change a password associated with a particular user account to a randomly generated password, update the password associated with the user account, and store the new password.

In some embodiments, the mechanisms described herein can be implemented as an application that can be used by a user to securely access multiple user accounts. For example, in some embodiments, the user can log-in to the application, and, after successfully logging-in, can select a particular website, app, or service (e.g., a particular email service, a particular social networking service, a particular banking service, and/or any other suitable website or service) for which the user has stored user credentials to access. In some embodiments, after selecting a particular website, app, or service for which the user has previously stored user credentials, the mechanisms can retrieve a username and password associated with the selected website, app, or service, and can cause the retrieved username and password to automatically be entered into user login text boxes associated with the selected website, app, or service, as described below in more detail in connection with FIG. 10.

In some embodiments, the user can log-in to the application to access different websites, apps, or services in any suitable manner. For example, in some embodiments, the user can enter a username corresponding to the application and can submit a user signature for validation (e.g., entered via a touchscreen, and/or in any other suitable manner). In some such embodiments, the mechanisms can verify the validity of the signature, and can allow the user access to the application in response to validating the signature.

Turning to FIG. 8, an example 800 of a process for using a signature to log-in to an application is shown in accordance with some embodiments of the disclosed subject matter.

Process 800 can begin at 802 and can proceed to 804. At 804, process 800 can receive a username associated with an application for accessing available services, apps, or websites that require authentication. In some embodiments, the username can be received in any suitable manner. For example, in some embodiments, the username can be entered via a user interface, such as user interface 100 shown in FIG. 1. In some such embodiments, user interface 100 can be presented in any suitable manner. For example, in some embodiments, user interface 100 can be presented as part of an application for accessing available services, websites, and/or apps being selected (e.g., on a mobile device, on a desktop computer, and/or on any other suitable device).

At 806, process 800 can receive a biometric signature of a user. In some embodiments, the biometric signature can be received in any suitable manner. For example, in some embodiments, the biometric signature can be received via a gesture on a touchscreen associated with a device that presented user interface 100. In some embodiments, the biometric signature can include any suitable information. For example, in some embodiments, the biometric signature can be a fingerprint of the user. As another example, in some embodiments, the biometric signature can be a handwritten gesture of the user.

At 808, process 800 can validate the username with the signature. In some embodiments, process 800 can validate the username and the biometric signature using any suitable technique or combination of techniques. For example, in some embodiments, process 800 can transmit the username and the signature to an application web server 1312 as shown in FIG. 13. In some embodiments, application web server 1312 can verify that the username exists using a member database server 1302, as shown in FIG. 13. If the username exists, application web server 1312 can determine a unique identifier associated with the username, and can transmit a query that includes the unique identifier and the biometric signature to a biometric signature server 1304, as shown in FIG. 13. In some embodiments, application web server 1312 can then receive a response from biometric signature server 1304 that indicates whether the username and biometric signature are valid. For example, in some embodiments, biometric signature server 1304 can determine whether the biometric signature matches a biometric signature previously submitted by the user using any suitable technique(s).

At 810, process 800 can determine if the username and biometric signature are valid. For example, in some embodiments, process 800 can determine whether the username and signature are valid based on a response from biometric signature server 1304, as described above. As a more particular example, in some embodiments, process 800 can determine that the username and signature are valid in response to receiving a response indicating that the biometric signature matches a biometric signature previously submitted by a user associated with the username. As another more particular example, in some embodiments, process 800 can determine that the username and signature are not valid in response to receiving a response indicating that the biometric signature does not match a biometric signature previously submitted by a user associated with the username.

If, at 810, process 800 determines that the username and the biometric signature are not valid (“no” at 810), process 800 can end at 816.

If, at 810, process 800 determines that the username and the signature are valid (“yes” at 810), process 800 can allow the user access to an application for available services or websites at 812. For example, in some embodiments, process 800 can display a home page associated with the application.

At 814, process 800 can display a user interface that indicates available websites, apps, and/or services.

Turning to FIG. 4, an example 400 of a user interface for displaying indications of available websites, apps, and/or services is shown in accordance with some embodiments of the disclosed subject matter. As illustrated in FIG. 4, user interface 400 can include indications of any suitable number (one, two, five, ten, twenty, and/or any other suitable number) of websites, apps, and/or services that require a user to log-in. For example, in some embodiments, user interface 400 can include indications of websites, apps, and/or services for accessing an email account, accessing a social networking account, accessing a banking account, and/or any other suitable services or websites. In some embodiments, each indication can include any suitable information or content, such as an icon or image associated with the website, app, and/or service, a name of the website, app, and/or service, and/or any other suitable content.

Referring back to FIG. 8, process 800 can then end at 816.

Turning to FIG. 9, an example 900 of a process for using a mobile device to log-in to an application for accessing available websites, apps, and/or services that require user authentication is shown in accordance with some embodiments of the disclosed subject matter.

Process 900 can begin at 902 and can proceed to 904. At 904, process 900 can receive a username associated with an application for accessing available websites, apps, and/or services. In some embodiments, the username can be received in any suitable manner. For example, in some embodiments, the username can be entered via a user interface, such as user interface 100 shown in FIG. 1. In some such embodiments, user interface 100 can be presented in any suitable manner. For example, in some embodiments, user interface 100 can be presented as part of an application for accessing available websites, apps, and/or services being selected (e.g., on a mobile device, a desktop computer, and/or on any other suitable device).

At 906, process 900 can validate the username. For example, in some embodiments, process 900 can transmit a query to member database server 1302 (as shown in FIG. 13) that determines whether the username exists in a database of existing users.

Process 900 can determine whether the username is valid at 908. In some embodiments, process 900 can determine whether the username is valid based on any suitable information, such as a response from member database server 1302 that indicates whether the username exists in a database of existing users, as described above.

If, at 908, process 900 determines that the username is not valid or does not exist (“no” at 908), process 900 can end at 920.

If, at 908, process 900 determines that the username is valid and/or already exists (“yes” at 908), process 900 can proceed to 910 and can initiate a session corresponding to a mobile device associated with the username. In some embodiments, process 900 can initiate the session corresponding to a mobile device associated with the username using any suitable technique or combination of techniques. For example, in some embodiments, process 900 can identify a unique member identifier associated with the username and/or a mobile device identifier (e.g., corresponding to a mobile phone, tablet computer, and/or other mobile device associated with the username). As a more particular example, in some embodiments, process 900 can initiate the session using information stored in a communication server 1310, as shown in FIG. 13. Process 900 can then wait for a response from the mobile device, at 912 and 913.

At 912, process 900 can determine whether a response was received. If so (“yes” at 912), process 900 can proceed to 914. Otherwise, process 900 can proceed to 913 (“no” at 912).

At 913, process 900 can determine whether a predetermined duration of time has elapsed since the session was initiated without a response from the mobile device. In some embodiments, the predetermined duration of time can be any suitable amount of time (e.g., one minute, two minutes, five minutes, and/or any other suitable duration of time).

If, at 913, process 900 determines that the predetermined duration of time has elapsed (“yes” at 913), process 900 can end at 920.

If, at 913, process 900 determines that the predetermined duration of time has not yet elapsed (“no” at 913), process 900 can proceed to 912 and can continue to wait for a response from the mobile device.

In some embodiments, the response can include any suitable information. For example, in some embodiments, the response can include a biometric signature from a user of the mobile device entered using a touchscreen and/or a stylus of the mobile device. As described above in connection with FIG. 8, in some embodiments, the biometric signature can include any suitable information, such as a fingerprint of the user, a handwritten gesture by the user, and/or any other suitable type of signature.

At 916, process 900 can validate the response from the mobile device. For example, process 900 can validate a biometric signature received from the mobile device. As a more particular example, process 900 can determine whether a biometric signature received from the mobile device matches a biometric signature previously submitted by a user associated with the username, as described above in more detail in connection with FIG. 8.

If, at 916, process 900 determines that the response from the mobile device is invalid (“no” at 916), process 900 can end at 920.

If, at 916, process 900 determines that the response from the mobile device is valid (“yes” at 916), process 900 can allow the user to access an interface for accessing available websites, apps, and/or services at 918. For example, in some embodiments, process 900 can display a home page associated with the application. An example of such a user interface is shown in FIG. 4 and is described above.

Process 900 can then end at 920.

Turning to FIG. 10, an example 1000 of a process for automatically logging-in to a website, app, and/or service of a group of available websites, apps, and/or services and changing a password associated with the website, app, and/or service is shown in accordance with some embodiments of the disclosed subject matter.

Process 1000 can begin at 1002 and can proceed to 1004. At 1004, process 1000 can receive a selection of a website, app, and/or service from a group of available websites, apps, and/or services. For example, in some embodiments, the selection can be received via a user interface associated with an application for accessing available websites, apps, and/or services, such as user interface 400 shown in FIG. 4 (described above). In some embodiments, the selected website, app, and/or service can correspond to any suitable website, app, and/or service that requires a user to log-in to a user account to access information and/or features. For example, as described above, the website, app, and/or service can be an application or website for accessing an email account, accessing a social networking account, accessing a bank account, and/or any other suitable website, app, and/or service. In some embodiments, in response to receiving a selection of the website, app, and/or service, process 1000 can retrieve or identify an identifier corresponding to the selected website, app, and/or service.

At 1006, process 1000 can retrieve a username and/or a password corresponding to the selected website, app, and/or service. In some embodiments, the username and/or the password can be encrypted in any suitable manner. In some embodiments, process 1000 can retrieve the username and/or the password using any suitable technique or combination of techniques. For example, in some embodiments, process 1000 can retrieve the username and/or the password by transmitting a query to and/or connecting to a trusted app database server 1306, as shown in FIG. 13.

At 1008, process 1000 can retrieve a private PKI key corresponding to the username. In some embodiments, process 1000 can retrieve the private PKI key corresponding to the username using any suitable technique(s). For example, in some embodiments, process 1000 can retrieve the private PKI key from member database server 1302, as shown in FIG. 13. In some embodiments, process 1000 can additionally identify a private PKI key corresponding to the system. In some embodiments, the private PKI key corresponding to the system can be identified in any suitable manner. For example, in some embodiments, the private PKI key corresponding to the system can be a global variable stored in memory of a user device executing the application that can be accessed by the application.

At 1010, process 1000 can decrypt the username and the password retrieved at 1006 using the private PKI key corresponding to the user and the private PKI key corresponding to the system. In some embodiments, any suitable PKI decryption algorithm can be used.

At 1012, process 1000 can launch the selected website, app, and/or service. In some embodiments, the selected website, app, and/or service can be launched in any suitable manner. For example, in some embodiments, the selected website, app, and/or service can be launched in a new browser tab of a browser window executing on a user device on which the website, app, and/or service was selected at 1004. In some embodiments, the website, app, and/or service can be launched by loading a URL corresponding to the selected website, app, and/or service or website. In some embodiments, the launched page can include one or more text entry boxes for entering user credentials to access a user account associated with the selected website, app, and/or service.

At 1014, process 1000 can use a script to search a page corresponding to the launched website, app, and/or service for a username text box and/or a password text box. In some embodiments, any suitable type of script can be used (e.g., a JavaScript script, and/or any other suitable script). In some embodiments, process 1000 can wait until the page corresponding to the launched website, app, and/or service has fully loaded before using the script to search the page for the username and password text boxes.

At 1016, process 1000 can use the script to fill-in the identified username and password text boxes. For example, in some embodiments, process 1000 can cause the decrypted username from 1010 to be entered into a username text box. As another example, in some embodiments, process 1000 can cause the decrypted password from 1010 to be entered into a password text box. In some embodiments, process 1000 can then cause a submit button on the page corresponding to the launched service or website to be selected, for example, using the script. An example of a user interface in which the username and password have been entered is shown in user interface 500 of FIG. 5.
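The field-identification and fill steps 1012-1016 above, as an added example that is not the patent's own script: the login page is represented by a constructed HTML snippet parsed into input descriptors so the logic runs under Node (a browser version would walk `document.querySelectorAll('input')` after the page has fully loaded), and the service record, URLs and field names are assumptions. It also adds the check a defender wants in front of any autofill: credentials are only written when the launched page's origin matches the stored login URL.

```javascript
// Minimal <input> tag extractor for the constructed sample page below. It only
// exists so the example is self-contained; a deployment would use the live DOM.
function extractInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    inputs.push(attrs);
  }
  return inputs;
}

const USERNAME_HINT = /user|login|email|account|uid/i;

// 1014: pick the username and password entry fields. Preference order is the
// explicit autocomplete tokens, then type="password", then name/id hints.
// Hidden inputs are never candidates: filling one would hand the credential to
// whatever the page does with hidden form data.
function identifyLoginFields(inputs) {
  const visible = inputs.filter(i => (i.type || 'text').toLowerCase() !== 'hidden');
  const password = visible.find(i => i.autocomplete === 'current-password')
    || visible.find(i => (i.type || '').toLowerCase() === 'password');
  const username = visible.find(i => i.autocomplete === 'username')
    || visible.find(i => i !== password && USERNAME_HINT.test(`${i.name || ''} ${i.id || ''}`));
  if (!password || !username) return null;
  return { username, password };
}

// Origin pinning: stored credentials are filled only when the launched page's
// origin equals the origin of the stored login URL (and the scheme is https).
// This is what keeps the script from typing a password into a lookalike site.
function sameOrigin(storedLoginUrl, launchedUrl) {
  const a = new URL(storedLoginUrl), b = new URL(launchedUrl);
  return a.protocol === 'https:' && a.origin === b.origin;
}

// 1012-1016 composed: returns the values to write into each field (keyed by
// field name) plus whether submit may be clicked, or null to leave the page alone.
function planAutofill(service, launchedUrl, html, creds) {
  if (!sameOrigin(service.loginUrl, launchedUrl)) return null;
  const fields = identifyLoginFields(extractInputs(html));
  if (!fields) return null;
  return {
    fill: { [fields.username.name]: creds.username, [fields.password.name]: creds.password },
    submit: true,
  };
}

// Constructed sample login page and stored service record (assumed values).
const SAMPLE_HTML = `
  <form action="/session" method="post">
    <input type="hidden" name="csrf" value="abc">
    <input type="text" name="login_id" id="login" autocomplete="username">
    <input type="password" name="passwd" autocomplete="current-password">
    <input type="submit" value="Sign in">
  </form>`;
const SERVICE = { name: 'Example Mail', loginUrl: 'https://mail.example.com/login' };
```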

In some embodiments, submission of a username and password can cause a second page associated with the website, app, and/or service to be presented, for example, as shown in user interface 600 of FIG. 6. For example, in an instance where the website, app, and/or service is a website, app, and/or service for accessing email, the second page can include an inbox corresponding to the submitted username. As another example, in an instance where the website, app, and/or service is a website, app, and/or service for accessing a bank account, the second page can include an accounts summary page, and/or any other suitable information. In some embodiments, in an instance where multiple websites, apps, and/or services have been launched using the techniques described above in connection with process 1000, a page corresponding to each website, app, and/or service can be launched in a new tab of a browser window, as shown in user interface 700 of FIG. 7.

At 1018, process 1000 can change the password associated with the selected website, app, and/or service using random characters. For example, in some embodiments, process 1000 can generate a password that includes any suitable number (e.g., five, ten, and/or any other suitable number) of randomly selected alphanumeric and/or other characters (e.g., punctuation symbols, and/or any other suitable characters). In some embodiments, process 1000 can wait until the username and password submitted at 1016 have been verified and a subsequent page (e.g., the second page described above in connection with 1016) has fully loaded before generating a randomized password.

Note that, in some embodiments, process 1000 can determine that a new password is to be generated in response to any suitable criteria. For example, in some embodiments, process 1000 can determine that more than a predetermined duration of time (e.g., more than one month, more than six months, and/or any other suitable duration of time) has elapsed since a previous time a password associated with the selected website, app, and/or service has been changed. As another example, in some embodiments, process 1000 can determine that a new password is to be generated in response to receiving an explicit indication from a user of the user device that the password is to be changed (e.g., via a selection of a “change password” button in a user interface, and/or in any other suitable manner).

In some embodiments, process 1000 can then use a password change script (e.g., a JavaScript script, and/or any other suitable type of script) to change a password associated with the username to the randomized password generated (as described above). For example, in some embodiments, the script can cause a “change password” option to be selected from a security menu or from a settings panel.

At 1020, process 1000 can retrieve a public PKI key corresponding to a user associated with the username. For example, in some embodiments, process 1000 can identify a user identifier corresponding to a current application session, and can then identify the public PKI key associated with the user identifier. In some embodiments, process 1000 can retrieve the public PKI key using member database server 1302, as shown in FIG. 13. Additionally, in some embodiments, process 1000 can identify a public PKI key corresponding to the system. In some embodiments, the public PKI key corresponding to the system can be stored in memory of the user device executing the application (e.g., as a global variable, and/or in any other suitable manner), and can be accessed by the application.

At 1022, process 1000 can encrypt the decrypted username of 1010 and can encrypt the password generated at 1018. In some embodiments, process 1000 can encrypt the username and the password using the public PKI key corresponding to the user, the public PKI key corresponding to the system, and any suitable PKI encryption algorithm.

At 1024, process 1000 can update the username and password stored in association with a user identifier and the selected service or website for future use. For example, in some embodiments, process 1000 can cause the encrypted username and the encrypted password to be stored in association with an application identifier associated with the selected application and the user identifier on trusted app database server 1306.

Process 1000 can then end at 1026.

Turning to FIG. 11, an example 1100 of a process for updating a biometric signature used for user validation is shown in accordance with some embodiments of the disclosed subject matter. In some embodiments, process 1100 can be executed at any suitable frequency (e.g., once per month, once per year, and/or at any other suitable frequency) to maintain an updated version of a user signature that is used to log-in to an application for accessing services or websites, as described above in connection with FIGS. 8 and 9.

Process 1100 can begin at 1102 and can proceed to 1104. At 1104, process 1100 can receive a username of a user. In some embodiments, process 1100 can receive the username in any suitable manner. For example, in some embodiments, process 1100 can receive the username via a user interface presented on a user device, as shown in user interface 200 of FIG. 2.

At 1106, process 1100 can validate the username. For example, in some embodiments, process 1100 can validate the username by transmitting a query to member database server 1302, as shown in FIG. 13.

At 1108, process 1100 can determine whether the username is valid based on any suitable information. For example, in some embodiments, process 1100 can determine that the username is valid based on a response from member database server 1302 that indicates that the username exists in a database stored on member database server 1302. As another example, in some embodiments, process 1100 can determine that the username is invalid based on a response from member database server 1302 that indicates that the username does not exist in a database stored on member database server 1302.

If, at 1108, process 1100 determines that the username is not valid (“no” at 1108), process 1100 can end at 1120.

If, at 1108, process 1100 determines that the username is valid (“yes” at 1108), process 1100 can proceed to 1110 and can determine a unique identifier corresponding to the username and can set any suitable indicator that a biometric signature associated with the username and/or the unique identifier is to be updated and/or verified. Note that, in some embodiments, the indicator can be set based on any other suitable criteria, such as that more than a predetermined amount of time has elapsed since a previous update or verification of the biometric signature (e.g., more than a month, more than a year, and/or any other suitable duration of time).

At 1112, process 1100 can identify a mobile phone number associated with the username and/or the unique identifier associated with the username (e.g., a mobile phone number stored on member database server 1302, and/or stored in any other suitable device), and can transmit a passcode to the mobile phone using the mobile phone number. In some embodiments, process 1100 can generate a passcode of any suitable number of randomly generated alphanumeric characters and/or other characters prior to transmitting the passcode to the mobile phone.

At 1114, process 1100 can receive a passcode via a user interface presented on the user device (e.g., the user device that received the username at 1104). An example of a user interface for entering a passcode is shown in user interface 300 of FIG. 3.

At 1116, process 1100 can determine whether the passcode received at 1114 matches the passcode transmitted to the mobile phone at 1112.

If, at 1116, process 1100 determines that the passcode received at 1114 does not match the passcode transmitted to the mobile phone at 1112 (“no” at 1116), process 1100 can end at 1120.

If, at 1116, process 1100 determines that the passcode received at 1114 matches the passcode transmitted to the mobile phone at 1112 (“yes” at 1116), process 1100 can proceed to 1118 and can request that a user of the user device submit an updated signature. In some embodiments, the updated signature can be received in any suitable manner, such as via a touchscreen of the user device. As described above in connection with FIGS. 8 and 9, the signature can include any suitable information, such as a fingerprint of the user, a handwritten gesture by the user, and/or any other suitable type of signature. In some embodiments, process 1100 can update a biometric signature associated with the username and/or the unique user identifier to the received signature. Additionally or alternatively, in some embodiments, process 1100 can compare the received signature to a previously submitted signature to verify the identity of the user.

Process 1100 can then end at 1120.
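The username check, stale-signature indicator and passcode round trip of steps 1104 through 1118 above, as an added Python model that is not part of the patent: the member database is a constructed in-memory dictionary standing in for member database server 1302, the SMS sender is a hypothetical callback, and the passcode length, validity window and attempt limit are assumptions the text leaves open.

```python
"""Steps 1104-1118 of FIG. 11 as a small Python model (added example, not the patent's code)."""
import hmac
import secrets
import string
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

PASSCODE_ALPHABET = string.ascii_uppercase + string.digits  # "randomly generated alphanumeric characters"
PASSCODE_LENGTH = 6                                         # assumed; the text leaves the length open
PASSCODE_TTL = timedelta(minutes=5)                         # assumed validity window for a sent passcode
REVERIFY_AFTER = timedelta(days=30)                         # "more than a month" since the last update
DEMO_NOW = datetime(2018, 10, 17, tzinfo=timezone.utc)      # constructed clock value used by the demo


@dataclass
class MemberRecord:
    """One row of the constructed stand-in for member database server 1302."""
    user_id: str                    # the unique identifier determined at 1110
    mobile_number: str              # the number the passcode is sent to at 1112
    signature_updated_at: datetime  # when the biometric signature was last updated/verified
    needs_signature_update: bool = False

MEMBER_DB = {  # constructed sample data, not real users
    "alice": MemberRecord("uid-1001", "+15555550100", datetime(2018, 1, 1, tzinfo=timezone.utc)),
    "bob": MemberRecord("uid-1002", "+15555550101", datetime(2018, 10, 1, tzinfo=timezone.utc)),
}

@dataclass
class PendingPasscode:
    """Server-side state for a passcode sent at 1112 and awaited at 1114."""
    user_id: str
    code: str
    expires_at: datetime
    attempts_left: int = 3

def validate_username(username: str) -> Optional[MemberRecord]:
    """1106/1108: look the username up; None corresponds to "no" at 1108."""
    return MEMBER_DB.get(username)

def set_update_indicator(record: MemberRecord, now: datetime) -> bool:
    """1110: flag the signature for update/verification once it is older than REVERIFY_AFTER."""
    if now - record.signature_updated_at > REVERIFY_AFTER:
        record.needs_signature_update = True
    return record.needs_signature_update

def issue_passcode(record: MemberRecord, now: datetime,
                   send_sms: Callable[[str, str], None]) -> PendingPasscode:
    """1112: generate a random alphanumeric passcode and hand it to the (hypothetical) SMS sender."""
    code = "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(PASSCODE_LENGTH))
    send_sms(record.mobile_number, code)
    return PendingPasscode(record.user_id, code, now + PASSCODE_TTL)

def check_passcode(pending: PendingPasscode, submitted: str, now: datetime) -> bool:
    """1116: expiring, attempt-limited, single-use, constant-time comparison of the submitted passcode."""
    if now > pending.expires_at or pending.attempts_left <= 0:
        return False
    pending.attempts_left -= 1
    matched = hmac.compare_digest(pending.code.encode(), submitted.strip().upper().encode())
    if matched:
        pending.attempts_left = 0  # an accepted passcode must not be accepted a second time
    return matched

def start_process_1100(username: str, now: datetime,
                       send_sms: Callable[[str, str], None]) -> Optional[PendingPasscode]:
    """1104-1112: validate the username, set the indicator, send the passcode. None = ended at 1120."""
    record = validate_username(username)
    if record is None:
        return None
    set_update_indicator(record, now)
    return issue_passcode(record, now, send_sms)

if __name__ == "__main__":
    outbox = []
    pending = start_process_1100("alice", DEMO_NOW, lambda number, code: outbox.append((number, code)))
    # The user reads the passcode off the phone and types it in at 1114 (user interface 300 of FIG. 3).
    print("proceed to 1118 (request updated signature):", check_passcode(pending, outbox[-1][1], DEMO_NOW))
```

A true result from `check_passcode` is the "yes" branch at 1116, after which the updated signature of 1118 would be requested.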

Turning to FIG. 12, an example 1200 of a process for adding a website, app, and/or service to a group of available websites, apps, and/or services is shown in accordance with some embodiments of the disclosed subject matter.

Process 1200 can begin at 1202 and can proceed to 1204. At 1204, process 1200 can receive a selection of a website, app, and/or service to be added to the group of available websites, apps, and/or services. In some embodiments, the selection of the website, app, and/or service can be received in any suitable manner. For example, in some embodiments, the selection can be received from a selection of a website, app, and/or service from a listing of websites, apps, and/or services supported by an application for accessing websites, apps, and/or services. In some embodiments, the selection can be received via a user interface presented as part of an application for accessing websites, apps, and/or services.

At 1206, process 1200 can receive a username and a password corresponding to a user account associated with the selected website, app, and/or service. For example, in some embodiments, the username and password can correspond to user credentials to access an existing account associated with the selected website, app, and/or service. In some embodiments, the username and the password can be received in any suitable manner, for example, via a user interface presented on a user device used to select the website, app, and/or service at 1204.

At 1208, process 1200 can retrieve a public PKI key associated with the user. In some embodiments, process 1200 can identify a unique user identifier associated with the user and can retrieve the public PKI key using the user identifier, for example, from member database server 1302. In some embodiments, process 1200 can additionally identify a public PKI key corresponding to the system. For example, in some embodiments, the public PKI key corresponding to the system can be stored in memory of the user device (e.g., as a global variable, and/or in any other suitable manner) and can be accessed by the application for accessing services or websites.

At 1210, process 1200 can encrypt the username and the password. In some embodiments, process 1200 can encrypt the username and the password using the public PKI key corresponding to the user, the public PKI key corresponding to the system, and any suitable PKI encryption algorithm.

At 1212, process 1200 can store the encrypted username and the encrypted password in connection with an identifier of the selected website, app, and/or service. For example, in some embodiments, process 1200 can store the encrypted username and the encrypted password on trusted app database server 1306, as shown in FIG. 13.

Process 1200 can then end at 1214.

Turning to FIG. 13, an example 1300 of hardware for managing user credentials that can be used in accordance with some embodiments of the disclosed subject matter is shown. As illustrated, hardware 1300 can include a member database server 1302, a biometric signature server 1304, a trusted app database server 1306, a personal app server 1308, a communication server 1310, an app web server 1312, a communication network 1314, and one or more user devices 1316, such as user devices 1318 and 1320.

In some embodiments, functions performed by each of servers 1302-1312 are described above in connection with FIGS. 8-12.

Communication network 1314 can be any suitable combination of one or more wired and/or wireless networks in some embodiments. For example, communication network 1314 can include any one or more of the Internet, an intranet, a wide-area network (WAN), a local-area network (LAN), a wireless network, a digital subscriber line (DSL) network, a frame relay network, an asynchronous transfer mode (ATM) network, a virtual private network (VPN), and/or any other suitable communication network. User devices 1316 can be connected by one or more communications links to communication network 1314 that can be linked via one or more communications links to any of servers 1302-1312. The communications links can be any communications links suitable for communicating data among user devices 1316 and servers 1302-1312, such as network links, dial-up links, wireless links, hard-wired links, any other suitable communications links, or any suitable combination of such links. In some embodiments, connection to communication network 1314 can be through any suitable device, such as a network router.

User devices 1316 can include any one or more user devices (such as user device 1318 and/or 1320) suitable for accessing and using any websites, apps, and/or services. For example, in some embodiments, user devices 1316 can include a mobile device, such as a mobile phone, a tablet computer, a wearable computer, a laptop computer, a vehicle (e.g., a car, a boat, an airplane, or any other suitable vehicle) information and/or entertainment system, and/or any other suitable mobile device. As another example, in some embodiments, user devices 1316 can include a non-mobile device, such as a television, a projector device, a game console, desktop computer, and/or any other suitable non-mobile device.

Although servers 1302-1312 are illustrated as multiple devices, the functions performed by servers 1302-1312 can be performed using any suitable number of devices (including only one) in some embodiments. For example, in some embodiments, one, two, three, or more devices can be used to implement the functions performed by servers 1302-1312.

Although two user devices 1318 and 1320 are shown in FIG. 13 to avoid over-complicating the figure, any suitable number of user devices (including only one), and/or any suitable types of user devices, can be used in some embodiments.

Servers 1302-1312 and user devices 1316 can be implemented using any suitable hardware in some embodiments. For example, in some embodiments, servers 1302-1312 and user devices 1316 can be implemented using any suitable general purpose computer or special purpose computer. For example, a mobile phone may be implemented using a special purpose computer. Any such general purpose computer or special purpose computer can include any suitable hardware. For example, as illustrated in example hardware 1400 of FIG. 14, such hardware can include hardware processor 1402, memory and/or storage 1404, an input device controller 1406, an input device 1408, display/audio drivers 1410, display and audio output circuitry 1412, communication interface(s) 1414, an antenna 1416, and a bus 1418.

Hardware processor 1402 can include any suitable hardware processor, such as a microprocessor, a micro-controller, digital signal processor(s), dedicated logic, and/or any other suitable circuitry for controlling the functioning of a general-purpose computer or a special purpose computer in some embodiments. In some embodiments, hardware processor 1402 can be controlled by a computer program stored in memory and/or storage 1404 of a user device 1316. For example, in some embodiments, the computer program can cause hardware processor 1402 to request a username or signature to log in to an application executing on user device 1316, present indications of available websites, apps, and/or services, cause a username and password to be automatically entered to log in to a selected website, app, and/or service, and/or perform any other suitable functions. In some embodiments, hardware processor 1402 can be controlled by a server program stored in memory and/or storage 1404 of any of servers 1302-1312. For example, in some embodiments, the server program can cause hardware processor 1402 to verify a biometric signature of a user, verify a username of a user, store credentials associated with different user accounts, and/or perform any other suitable functions.

Memory and/or storage 1404 can be any suitable memory and/or storage for storing programs, data, media content, and/or any other suitable information in some embodiments. For example, memory and/or storage 1404 can include random access memory, read-only memory, flash memory, hard disk storage, optical media, and/or any other suitable memory.

Input device controller 1406 can be any suitable circuitry for controlling and receiving input from one or more input devices 1408 in some embodiments. For example, input device controller 1406 can be circuitry for receiving input from a touchscreen, from a keyboard, from a mouse, from one or more buttons, from a voice recognition circuit, from a microphone, from a camera, from an optical sensor, from an accelerometer, from a temperature sensor, from a near field sensor, and/or any other type of input device.

Display/audio drivers 1410 can be any suitable circuitry for controlling and driving output to one or more display/audio output devices 1412 in some embodiments. For example, display/audio drivers 1410 can be circuitry for driving a touchscreen, a flat-panel display, a cathode ray tube display, a projector, a speaker or speakers, and/or any other suitable display and/or presentation devices.

Communication interface(s) 1414 can be any suitable circuitry for interfacing with one or more communication networks, such as network 1314 as shown in FIG. 13. For example, interface(s) 1414 can include network interface card circuitry, wireless communication circuitry, and/or any other suitable type of communication network circuitry.

Antenna 1416 can be any suitable one or more antennas for wirelessly communicating with a communication network (e.g., communication network 1314) in some embodiments. In some embodiments, antenna 1416 can be omitted.

Bus 1418 can be any suitable mechanism for communicating between two or more components 1402, 1404, 1406, 1410, and 1414 in some embodiments.

Any other suitable components can be included in hardware 1400 in accordance with some embodiments.

In some embodiments, at least some of the above described blocks of the processes of FIGS. 8-12 can be executed or performed in any order or sequence not limited to the order and sequence shown in and described in connection with the figures. Also, some of the above blocks of FIGS. 8-12 can be executed or performed substantially simultaneously where appropriate or in parallel to reduce latency and processing times. Additionally or alternatively, some of the above described blocks of the processes of FIGS. 8-12 can be omitted.

In some embodiments, any suitable computer readable media can be used for storing instructions for performing the functions and/or processes herein. For example, in some embodiments, computer readable media can be transitory or non-transitory. For example, non-transitory computer readable media can include media such as non-transitory forms of magnetic media (such as hard disks, floppy disks, and/or any other suitable magnetic media), non-transitory forms of optical media (such as compact discs, digital video discs, Blu-ray discs, and/or any other suitable optical media), non-transitory forms of semiconductor media (such as flash memory, electrically programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), and/or any other suitable semiconductor media), any suitable media that is not fleeting or devoid of any semblance of permanence during transmission, and/or any suitable tangible media. As another example, transitory computer readable media can include signals on networks, in wires, conductors, optical fibers, circuits, any suitable media that is fleeting and devoid of any semblance of permanence during transmission, and/or any suitable intangible media.

Accordingly, methods, systems, and media for managing user credentials are provided.

Although the invention has been described and illustrated in the foregoing illustrative embodiments, it is understood that the present disclosure has been made only by way of example, and that numerous changes in the details of implementation of the invention can be made without departing from the spirit and scope of the invention, which is limited only by the claims that follow. Features of the disclosed embodiments can be combined and rearranged in various ways.

What is claimed is:
 1. A system for managing user credentials, comprising: a memory; and at least one hardware processor that is coupled to the memory and that is configured to: receive: a first username corresponding to a first user account of an application for managing user credentials; and a biometric signature of a user; in response to determining that the biometric signature of the user matches a stored signature corresponding to the first user account, cause indications of a group of available services to be presented; receive a selection of a service of the group of available services as a selected service; transmit, to a server, an identifier corresponding to the selected service; receive, from the server, an encrypted username and an encrypted password corresponding to a second user account of the selected service; as part of a single process, decrypt the encrypted username and the encrypted password, resulting in a decrypted username and a decrypted password, wherein decrypting the encrypted username and the encrypted password comprises retrieving a private PKI key associated with the first user account from a hardware server separate from the hardware processor and a private PKI key associated with the application from the memory and decrypting the encrypted username and the encrypted password using the private PKI key associated with the first user account and the private PKI key associated with the application; login to the selected service using the decrypted username and the decrypted password; wait for the second user account to be authenticated using the decrypted username and the decrypted password and for a subsequent page to be loaded; and in response to the second user account being authenticated using the decrypted username and the decrypted password and to the subsequent page being loaded: generate an updated password by generating a plurality of random characters; encrypt the updated password; cause, using the script, a password associated with the second user account to be changed to the updated password; and transmit the encrypted password in connection with the identifier corresponding to the selected service to the server.
 2. The system of claim 1, wherein encrypting the updated password comprises retrieving a public PKI key associated with the first user account and a public PKI key associated with the application, wherein the updated password is encrypted using the public PKI key associated with the first user account and the public PKI key associated with the application.
 3. The system of claim 1, wherein the biometric signature is received via a touchscreen.
 4. The system of claim 1, wherein the at least one hardware processor is further configured to: receive, via a user interface presented in connection with the application, a selection of a new service to be included in the group of available services; receive a username and a password corresponding to a third user account of the new service; encrypt the username and the password; transmit the encrypted username and the encrypted password to the server in connection with an identifier of the new service; and update the group of available services to include the new service.
 5. A method for managing user credentials, comprising: receiving, at a user device, a first username corresponding to a first user account of an application for managing user credentials and a biometric signature of a user of the user device; in response to determining that the biometric signature of the user matches a stored signature corresponding to the first user account, causing indications of a group of available services to be presented on the user device; receiving, at the user device, a selection of a service of the group of available services as a selected service; transmitting, to a server, an identifier corresponding to the selected service; receiving, from the server, an encrypted username and an encrypted password corresponding to a second user account of the selected service; as part of a single process, decrypting the encrypted username and the encrypted password, resulting in a decrypted username and a decrypted password, wherein decrypting the encrypted username and the encrypted password comprises retrieving a private PKI key associated with the first user account from a hardware server separate from the user device and a private PKI key associated with the application from a memory of the user device and decrypting the encrypted username and the encrypted password using the private PKI key associated with the first user account and the private PKI key associated with the application; logging-in to the selected service using the decrypted username and the decrypted password; waiting for the second user account to be authenticated using the decrypted username and the decrypted password and for a subsequent page to be loaded; and in response to the second user account being authenticated using the decrypted username and the decrypted password and to the subsequent page being loaded: generating an updated password by generating a plurality of random characters; encrypting the updated password; causing, using the script, a password associated with the second user account to be changed to the updated password; and transmitting the encrypted password in connection with the identifier corresponding to the selected service to the server.
 6. The method of claim 5, wherein encrypting the updated password comprises retrieving a public PKI key associated with the first user account and a public PKI key associated with the application, wherein the updated password is encrypted using the public PKI key associated with the first user account and the public PKI key associated with the application.
 7. The method of claim 5, wherein the biometric signature is received via a touchscreen associated with the user device.
 8. The method of claim 5, further comprising: receiving, via a user interface presented in connection with the application, a selection of a new service to be included in the group of available services; receiving a username and a password corresponding to a third user account of the new service; encrypting the username and the password; transmitting the encrypted username and the encrypted password to the server in connection with an identifier of the new service; and updating the group of available services to include the new service.
 9. A non-transitory computer-readable medium containing computer executable instructions that, when executed by a processor, cause the processor to perform a method for managing user credentials, the method comprising: receiving, at a user device, a first username corresponding to a first user account of an application for managing user credentials and a biometric signature of a user of the user device; in response to determining that the biometric signature of the user matches a stored signature corresponding to the first user account, causing indications of a group of available services to be presented on the user device; receiving, at the user device, a selection of a service of the group of available services as a selected service; transmitting, to a server, an identifier corresponding to the selected service; receiving, from the server, an encrypted username and an encrypted password corresponding to a second user account of the selected service; as part of a single process, decrypting the encrypted username and the encrypted password, resulting in a decrypted username and a decrypted password, wherein decrypting the encrypted username and the encrypted password comprises retrieving a private PKI key associated with the first user account from a hardware server separate from the user device and a private PKI key associated with the application from a memory of the user device and decrypting the encrypted username and the encrypted password using the private PKI key associated with the first user account and the private PKI key associated with the application; logging-in to the selected service using the decrypted username and the decrypted password; waiting for the second user account to be authenticated using the decrypted username and the decrypted password and for a subsequent page to be loaded; and in response to the second user account being authenticated using the decrypted username and the decrypted password and to the subsequent page being loaded: generating an updated password by generating a plurality of random characters; encrypting the updated password; causing, using the script, a password associated with the second user account to be changed to the updated password; and transmitting the encrypted password in connection with the identifier corresponding to the selected service to the server.
 10. The non-transitory computer-readable medium of claim 9, wherein encrypting the updated password comprises retrieving a public PKI key associated with the first user account and a public PKI key associated with the application, wherein the updated password is encrypted using the public PKI key associated with the first user account and the public PKI key associated with the application.
 11. The non-transitory computer-readable medium of claim 9, wherein the biometric signature is received via a touchscreen associated with the user device.
 12. The non-transitory computer-readable medium of claim 9, wherein the method further comprises: receiving, via a user interface presented in connection with the application, a selection of a new service to be included in the group of available services; receiving a username and a password corresponding to a third user account of the new service; encrypting the username and the password; transmitting the encrypted username and the encrypted password to the server in connection with an identifier of the new service; and updating the group of available services to include the new service.